zahlman 3 hours ago

Sure, but that kind of incompetence is already filtered out (in the https://www.lesswrong.com/w/screening-off-evidence sense) by the task of creating a package installer.

IgorPartola 3 hours ago | parent [-]

You would think so, yet here I am sitting with a node_modules full of crud placed there by npm, waiting for the next supply chain attack.

tacticus 2 hours ago | parent | next [-]

npm isn't the issue there; it's the TS/JS community and their desire to use a library for everything. In communities that do not consider dependencies to be a risk you will find this showing up in time.

The Node supply chain attacks are also not unique to the Node community. You see them happening on crates.io and many other places. In fact, the build-time scripts that cause issues on node modules are probably worse off with the flexibility of crate build scripts, and they're going to be harder to work around than in npm.

nl 2 hours ago | parent | prev | next [-]

I don't see how that follows.

uv doesn't exactly stop Python package supply chain attacks...

zahlman 3 hours ago | parent | prev [-]

That argument is FUD. The people who created the NPM package manager are not the people who wrote your dependencies. Further, supply chain attacks occur for reasons that are entirely outside NPM's control. Fundamentally they're a matter of trust in the ecosystem — in the very idea of installing the packages in the first place.